Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 14:33
Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
Resource: win7-20240221-en
General
Target: 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: ac2403837512ad8a207b62808b531f28
SHA1: 43c81390a338210b187790cc9a289807d72fa520
SHA256: 5ac96898c36d27f7dcf8f15eee84d9b363a6e3c400c487852d581fb95b7d11e3
SHA512: 694a7d5b84c35373194b9bfb0fb360b424e2cd651d11f36f44631c2d910194140b61b220edf1716989a441f286b426d74e53fed64ef2646a6db5f07cde7322c9
SSDEEP: 196608:bP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018BC6:bPboGX8a/jWWu3cI2D/cWcls1d

Malware Config
(none shown in the report)

Signatures
Executes dropped EXE (22 IoCs)
pid | Process
1180 | alg.exe
3160 | DiagnosticsHub.StandardCollector.Service.exe
1440 | fxssvc.exe
4688 | elevation_service.exe
4740 | elevation_service.exe
4564 | maintenanceservice.exe
2668 | msdtc.exe
972 | OSE.EXE
3272 | PerceptionSimulationService.exe
1896 | perfhost.exe
728 | locator.exe
3600 | SensorDataService.exe
2160 | snmptrap.exe
5000 | spectrum.exe
1016 | ssh-agent.exe
2988 | TieringEngineService.exe
5100 | AgentService.exe
1520 | vds.exe
2512 | vssvc.exe
1084 | wbengine.exe
1252 | WmiApSrv.exe
2232 | SearchIndexer.exe

Most of these names also appear in the file-modification tables below, at their normal paths, as binaries the sample (or the already-modified DiagnosticsHub.StandardCollector.Service.exe) opened for modification. The "dropped" executables are therefore pre-existing Windows and third-party service binaries that were overwritten in place and then ran, not new files written by the sample.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are listed for this signature in the report.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\cbe737e3c8648821.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe

Apart from MSDTC.LOG (the MSDTC service's own log) and cbe737e3c8648821.bin, which is written under the SYSTEM profile's AppData\Roaming, every path here is a pre-existing Windows executable. DiagnosticsHub.StandardCollector.Service.exe is first overwritten by the sample and then appears as a writer itself, modifying fxssvc.exe, SensorDataService.exe, SgrmBroker.exe, AppVClient.exe, AgentService.exe, msiexec.exe and dllhost.exe: the overwritten image carries the infecting code forward, which is the propagation pattern of a file infector. The family names in the sample's filename (magniber, revil) come from the submission name; the report itself shows no extracted configuration or family signature. On a suspect host this table is a verification checklist: Microsoft's own binaries listed here are catalog-signed, so Get-AuthenticodeSignature should report them as Valid, and an overwritten copy will fail that check.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | DiagnosticsHub.StandardCollector.Service.exe

Every row is an existing application executable (Java, Adobe Reader, Firefox, Chrome/Google Update, Office Click-to-Run, Internet Explorer, 7-Zip), again written either by the sample directly or by the already-overwritten DiagnosticsHub.StandardCollector.Service.exe. Unlike the System32 binaries, these third-party files are not covered by Windows catalog signing or sfc, so cleanup on a real host means comparing each against the vendor's release hashes or reinstalling the product. The table stops at 64 rows, the same cap visible on the other large tables in this report, so the real number of modified files is at least 64.
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe

Both readers, spectrum.exe and SensorDataService.exe, are service binaries the sample opened for modification, so the sandbox attributes these reads to the overwritten images. Windows services also open device property keys and query FriendlyName at start-up on clean machines, so treating this as an anti-sandbox check requires a baseline run of the unmodified services for comparison. The device strings themselves (Ven_QEMU, Ven_Msft with Prod_Virtual_DVD-ROM, and Ven_DADY, the vendor reported by the analysis VM's disk) are the values a VM check would compare against.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
TieringEngineService.exe is one of the service binaries the sample opened for modification; reading ~MHz is also done by legitimate code, so this needs the same baseline comparison before being counted as evasion.
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07453f242b0da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a07453f242b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dac6aaf342b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d0ccdf242b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccae6df242b0da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a4f2df242b0da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | (row truncated in the report)

Nearly all of the rows shown are MuiCache strings, FileExts keys, Shell Extensions cache entries and DirectShow/certificate store keys written under .DEFAULT by SearchProtocolHost.exe and SearchFilterHost.exe. That is the normal activity of the Windows Search indexer once SearchIndexer.exe (one of the overwritten binaries) starts, and the single fxssvc.exe entry is the same kind of MuiCache string. None of the rows shown is a persistence or configuration change by the sample; this signature is low-signal here.
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041eb49f242b0da01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004221c1f242b0da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
4756 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe (35 entries)
3160 DiagnosticsHub.StandardCollector.Service.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4756 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe
Token: SeAuditPrivilege 1440 fxssvc.exe
Token: SeRestorePrivilege 2988 TieringEngineService.exe
Token: SeManageVolumePrivilege 2988 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5100 AgentService.exe
Token: SeBackupPrivilege 2512 vssvc.exe
Token: SeRestorePrivilege 2512 vssvc.exe
Token: SeAuditPrivilege 2512 vssvc.exe
Token: SeBackupPrivilege 1084 wbengine.exe
Token: SeRestorePrivilege 1084 wbengine.exe
Token: SeSecurityPrivilege 1084 wbengine.exe
Token: 33 2232 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2232 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2232 SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege 4756 2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe (5 entries)
Token: SeDebugPrivilege 3160 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2232 wrote to memory of 516 2232 SearchIndexer.exe 113
PID 2232 wrote to memory of 516 2232 SearchIndexer.exe 113
PID 2232 wrote to memory of 4676 2232 SearchIndexer.exe 114
PID 2232 wrote to memory of 4676 2232 SearchIndexer.exe 114
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_ac2403837512ad8a207b62808b531f28_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
C:\Windows\System32\alg.exe (depth 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1180
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3112
-
C:\Windows\system32\fxssvc.exe (depth 1)
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
PID:4688
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4740
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4564
-
C:\Windows\System32\msdtc.exe (depth 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2668
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:972
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3272
-
C:\Windows\SysWow64\perfhost.exe (depth 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1896
-
C:\Windows\system32\locator.exe (depth 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:728
-
C:\Windows\System32\SensorDataService.exe (depth 1)
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3600
-
C:\Windows\System32\snmptrap.exe (depth 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2160
-
C:\Windows\system32\spectrum.exe (depth 1)
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5000
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1016
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4992
-
C:\Windows\system32\TieringEngineService.exe (depth 1)
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
C:\Windows\system32\AgentService.exe (depth 1)
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
C:\Windows\System32\vds.exe (depth 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1520
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\Windows\system32\wbengine.exe (depth 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1252
-
C:\Windows\system32\SearchIndexer.exe (depth 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
-
C:\Windows\system32\SearchProtocolHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID:516
-
-
C:\Windows\system32\SearchFilterHost.exe (depth 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
- Modifies data under HKEY_USERS
PID:4676
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 6fee6d44795cde035fcf8923088bfafb
SHA1 3c2b2bd252689f4542915272e63063a0d575a9bb
SHA256 1242814b2df4aac06ccc745f4cd5b76c9914c4f4e431303f59f79cbdf9de0f01
SHA512 a066de6791e0da7f024c1f4aa28f882a1be3462978de385d90d1cbbfa33b8eea8b5f51681b6a29fa576fc26f6ea654605495380cad5ca6f2e30ba1ba464ac6cf
-
Filesize 797KB
MD5 321c0146b6531ac1413a4224fdac22f8
SHA1 c61bbc86e7c54ea50847a72887cb9ba171ddfa89
SHA256 bf35ada22803169a6af5611976c6094dd880bc81ec9162672f2b38facb5d36f3
SHA512 bcb8fdca863d051ede3f6eb8bd9a262bef4dbb31b3f1b181494f48576adbb37c78de0c534dfa84412a386b632db4bd62e0758e94640f0a23a50dcb37d6ab021c
-
Filesize 1.1MB
MD5 5e2c05a6c37e793a9219b0f79ea4538a
SHA1 dd5d51b90085206e5bb960d4adf55ffaa46b2ee8
SHA256 d2707d22d16dc7f43cc42355be62a7100c405cdfe8326387be45d72b50bdf4c2
SHA512 79b0bf82ae752b91a7efb5eb0377b45c72f270aa1aa33f835688a7df4d2525dba44f25f94f107ebaab359fe0fc9529970733b3217af329a49e333a45f864cefd
-
Filesize 1.5MB
MD5 4b7abe0096dcc693760aa8551769b9c1
SHA1 32a34c4e50c79193587ddc93d468dbcf6745e0e3
SHA256 504dec55ab278ff49f80b1382df5df64b6229828d69cdbcf75aa9dd90c4a8aa8
SHA512 ec361b7299facfe3e352b9beb36fdaee5ffe559148a7e1e24ec7699afd1306a58261a6d5bcf211fc54be4b88cdb6221b20647e5eff38a55d411b5b47b2ef75b1
-
Filesize 1.2MB
MD5 8f8bc5e234b8825fee5c8edad19f98c6
SHA1 0fc2e04d0d78efff3f4982c75123d967d1f2a4d5
SHA256 672511846c8bce83d3de41012454b6b24c02e75ecf62466cbc6cf01cf40b2958
SHA512 b402f20954c497b74b8373176380b9ea180c3b92efa4d821465cfb0eb676d8de7be6041b2e7da8d061a0daf2fa2c500d99246efa0cde309178583f99f999b917
-
Filesize 582KB
MD5 46fb44f4e122d4967429cb357ccfd39d
SHA1 d4d91a8a486a541472d70be2773a436dfea26504
SHA256 fdb0a1678ba2a5534bc93380814854ccb34475175f1ec128d2055a17bfb6037f
SHA512 9687b8a75d82bd66afa0a363763f6626da9e12cdaf67e59538e70cea6e62a91076bdfad307466d8ca770821e73b2b0fe046c1a005272513118a450a28403a439
-
Filesize 840KB
MD5 f104757cf02c117c703ad1a9c4de1bf3
SHA1 242abd9c96d417730753c6c46c65ee4167126a5e
SHA256 f35e793e0d9389fd57067781346be1f1fc02961ad1e917d9a79f1dc1af0c203c
SHA512 8027b24b54aac4bac9e2dced4f7eecbf6bec91e4e600f484dace3c6060134ba7b82b82adc22b97234742d9690685d184cb9dff30de5566616b9e8b4eeb5376ff
-
Filesize 4.6MB
MD5 9bbaba0dafe252766f6ab7e9cdc9c715
SHA1 ad52a671bcfd658b8c55d032ed57e5d2f4ac3e93
SHA256 e842325c1ba5f55ba777b96ff4f1157f3c6fbc81aa3a5bd05c89546d4185adb9
SHA512 efca39463583d5d5f39af46ed18db16269bdb2e1628f84a577d2219f1d067674c8bbb53e74f028e96623c0d1d46dbb8d5ca07da357cc2fc7ffc852ef902906e3
-
Filesize 910KB
MD5 ff9404efff89ab1f081cbc240d6037ba
SHA1 32199ae0713be164fae643efae19d72311b1d4fb
SHA256 6fd3b8c1dcc94a5e0482ce33a86bb37929718800d77efed0db5a7c845ce08d62
SHA512 eab0fe832aea8e13876825a1e7571bf2abc411432fb7fceba082fc403757ad20432244d86ffc4c4213a16c5a79c797458de79d487bbaafba18b0f7320cba4350
-
Filesize 24.0MB
MD5 a504a8f852a19da707b9361ea28b6f3c
SHA1 ff61d9eaa06e53bfd772c16f77c1446c40d1dd7a
SHA256 ad8a8bd40b23d45e788bf663460356bf82c7e29445cf5a6d0d39c193f1165aea
SHA512 10e8d4a64a6934672d24dce43e713e7e6a49dd1f3ee226ba2d95cbfd4b6c73a85a425154484aa5a23d36d6130a3398e18db0d1a31a2e9bbfef474a6d281e19ed
-
Filesize 2.7MB
MD5 8203b1cac7d26591b790aa52b361ca57
SHA1 4dd9af7aa679099d3f5579308170bd64b0d5defe
SHA256 81df5c0fc7c0842314be1c5dbb0d4edc80a8df4b566f73316e03bc9563a63848
SHA512 671c77477e7cad329a2f9b4e5c1c31e0d1e9086fbb36cf0c931374b27909646ed489e477c2748d10fafe524ae3562b427978035de339a2926cd363dbbe7dd42a
-
Filesize 1.1MB
MD5 33c20dd4796c78d3a2adc4d5efc4ea50
SHA1 26704fd457e0b25aac739f940899f2850682f87a
SHA256 b5c8244f77621606d6eb2c8354dbd579bff38fc714330e5aac70dd69230f5416
SHA512 f7f7c8c98397d329db3b0dcc66c6f805bc4ba22988854d80a559505ac1b0be614fa693e86d7d80170d254688c0700e99735cdc8b666cb0c82b1af97959226af2
-
Filesize 805KB
MD5 19ad9e2b6e655236c3697aa53188c3f3
SHA1 0c00127e9f3c390dc12ba95205626dea7a6b1ed2
SHA256 4e0ff352e18b8d927b807fbca436e1b5e2224c3cd1c2a4543d3dac14286fd840
SHA512 2a7a2eebde62a71ca23baebc5e348a466ae1d9ff7427781a992d03123e0382e3461ea0924cea38f2c44e49123399cddd87da9e36930d3e30a947d180df34c106
-
Filesize 656KB
MD5 644ff66cf4f2ae5fcfb1f0649c42f0d4
SHA1 894c53e9f9fe2704458686d4cc287e2a7f17a492
SHA256 4ba10eece5c8b3571c5957db471aaabc2680a9926e4495c529466e40193a2300
SHA512 11fd731b5b56b24ce302265ecff412bddb9122092d23a0553c156c7b32d38f8298765b87608b5396a38cecb7bce2187f01e25082520629d81511a629a7b8b039
-
Filesize 5.4MB
MD5 5c1210db8be05e17c42cd4c45eac58df
SHA1 042cda3a229d18059172bc689859ca8acb2baa87
SHA256 8eb4adadbb4afa2221c70e29237647ef24d51f7ad3ed10f203266cce7aab58d6
SHA512 6fbca61903648bda6bdc4e597ebd9a21209c4e74296fbdfb89368ea4e031e9237b8621a4eb68cd987740b878f13a2f574631c2e15cf9d4f2556180fdabf8a80e
-
Filesize 5.4MB
MD5 16f640c3f13effd368949f3e3dc85d2e
SHA1 ce330d337fff2e6c6f3686334280a8679526b933
SHA256 e85b823bc9560a6e4c2dd251b80a8874883cd3e077d93765fcacf68240012cde
SHA512 67f061e9be923c50de395144ff0e6e14a7044415c1284e944d5a503700e48c2e5684309a64075299cb0a8c403fedbdc422093a86dcd2a62642086a59afd9a952
-
Filesize 2.0MB
MD5 f7ce9756a471b03d5a2710a62126a653
SHA1 d456992b84a902d4ab2d954d43692c3e2dfcc748
SHA256 4cdedf2b83b097a7543c68d10598a9bb400e517e32292f1ad9a07edf66d32ed9
SHA512 c26860d539396812c481c648557483a8ed410cdff7cf5a2e8ad4ae991686fed5377e526397b9f384be43dedd68afe83d47409cbbe8bec7a0743105bce061f906
-
Filesize 2.2MB
MD5 782e087777aaf3cfeb142729a3722262
SHA1 238ca507f1588a8bdf85cd745e7f7e438cadd696
SHA256 86f42bf2ac5e9e852a4392266e2132630cf5adb8c0beb48215f4596e93c6ec46
SHA512 d7a1a6d6642ba7f69a9451589b469bd3ef43ceefd3d846e8827bdaaf2c9b72b559770f9a426f7aa6f9546b07eca1e678915dad5178556c78b405a2a01d7caf9b
-
Filesize 1.8MB
MD5 d44b17f744dc58e1b61ec1b7fa7228e8
SHA1 d5c13779b80f9f6216b46caa28b039a9fa8ca1ac
SHA256 1b776aae4c8798811afa42afabcf4fc9e5e336437af6ad45b96c7131a0e82c03
SHA512 58575a9ffbfe46ee1669c9bfffffa9f81dd377553ffd457b4bd0fc186010431b932559fa4ce9c4e0d1b9dcc5500d9fc39c10d911e1c35df7ae565230830c0910
-
Filesize 1.7MB
MD5 29a3bb6b05cb4026dd8dd730502b4a21
SHA1 440d27bd5d868e72dee2ebb874f7df12c14b62bc
SHA256 66a6a11db318df56b32064864ff17a70ed2388355012571c42f61c9e825e974b
SHA512 ec9bf28fbea73cd72fcbf30a35b3d599d198d5707be392c48902751640adfdf0bc5096e16357f9962c19cf24779f20994d3db47f1220acabb6941b50e18ad295
-
Filesize 581KB
MD5 8ff9da9856e172d688db5014110ca47e
SHA1 dad289e70f2e9fe2e65cc79ad1caa512ef706283
SHA256 5c9daae097e183eb52c765a753d8af9f8fad5c658552acab8da26d4023fd1f1b
SHA512 7ff16cff2d63faf9b77658e8f60d8f56f6cd9965a09d428b3a06dfddea370086955a25606a6cd1f5fca6671e186393c2b90358729dd6d413a631a21206ed8bdd
-
Filesize 581KB
MD5 3006bffc79ea4224cc1eda96eda5bbd4
SHA1 772fe97ea1a63b9333b78d19596e4969778537d1
SHA256 b95e614d1fd933ee2b056e9a76f3f3f32b492ba0ee1dc6dcad2f5a725f862d9c
SHA512 e94293b28443831d221f48800024dc548e041cfde88ae3494af72a09409bb3168a2386b56ff3be1e206b36e95b0ce8a48cd76b10d7bf81f45c966c65371785b1
-
Filesize 581KB
MD5 9a17ed56547320d04ab5332b341beb68
SHA1 7840133a71e3c72c176eba69ed998e48d7724287
SHA256 1bd03fc4ba47d112f1b50f1b34f7491df7e7e5c136db0bc3b97755836dafc051
SHA512 63cef9bf4b9b590a47ad70eedb41332cc60f7e59d9bccb66fba51f4c774d2685e5c1f00ac8c2148e2488e172f33e1c3fba56e5f35ead2586dd6de891ec0e51be
-
Filesize 601KB
MD5 74057c068e2b94192429f9dc5ca85ca8
SHA1 70794514a735bafaced994cacdc11935ca92b899
SHA256 d5821c7768621cb18b0bfc6bdeb1c6a6bb98de77391eaf940bfbd78e1777088d
SHA512 0093c544e008157cdbbe95da7ce550a90ac81aaf788ebdda418fab8032d517609ff376f3ba480c498c23a9c6d98d5412e373051d0830dab273092242fb4cc3e3
-
Filesize 581KB
MD5 2cf6a0d71647ab1322f0b560c8f5c9d8
SHA1 a80a21572a0fdf0f36e8a5c9538e27590239597a
SHA256 1108e33b286861d8e0aa931d7994bad89f221bf05d8656f51446d20954e61121
SHA512 88477b3220b9af821841cf78deeac8fae4ecb046ee987ff55b925e2ee4e4c6350b5000df529a5664062016ca0a57f8f2be2e090c5cede729db4745f4eef4326d
-
Filesize 581KB
MD5 b85fb642210d19cc7e64a156cd42914e
SHA1 c5cb4d3f6265dd68ffedc6b2e7b8360f2a61e75b
SHA256 718912ce9d13ad042a16e117a8b5e646abfe9aceb754464708a028011dc99711
SHA512 c0ea886d7e3be17b93999791fcadb21494b1ee790b674d7621dc526c539a04f9add9fe6c79202f00d1b9bd983ea894697e70615f164a85c67953bc61b3c3fd2f
-
Filesize 581KB
MD5 5726db91f553ae0148fcf13c341c1256
SHA1 f62d3d642e85eda6b47fd17b5462d541ec0b4e40
SHA256 8b51b5ce71872d9cbfdf8eb3c65e693ad5ab53916ac0015f2679a9cd88da9cde
SHA512 aa3632d832ca22f28ec98af404afe24a504a1ae286bbeabbcb01067eb907f5e55498167030ce4741cc835c1470915aa575fde089e11231429cccd3aa3bc97588
-
Filesize 841KB
MD5 e273c6205478405ed4fb771f1381309e
SHA1 6b517f257b9b682bb807a95f714949870121fb8c
SHA256 5b480fd0d2bf526203647110d338d2d1228369bd096039b037959ec1960e92bd
SHA512 d51efcf7dcd75ca5170fb4a7b36f1a48fb5e1959497364d334780b251595a2b33e07c9835ea3b7f7e71ff0b67cff67d78f8d2e8007907a40e15eb59f536ff03c
-
Filesize 581KB
MD5 f55810bb67e17e04efedae2981c6dbd9
SHA1 a7d1a7bd28a668ed9408c86163cf04ad645cec40
SHA256 757955762b114b034b4ec6061f7c27d05ea3707c4c0aa4bc593719e3b2660959
SHA512 5169878f5d0a02df3d6c06bbb384f71325970343cfd90b83bbbb167832af950850dc87d64295ac567dd58b5950cb6eb827bdf1963bbce43fee43c83d4c0eab56
-
Filesize 581KB
MD5 ac139ee9a752b8642ebd3e002f464703
SHA1 4ce173e450458e3f30d15eca4e06d4fcafa7685d
SHA256 da3c4709f0ae780c88d87e6be891d04190f54d06fecd04fbb01de1c6929ddd89
SHA512 c317845749b258bee30ea454148e784af8cf2146f07fadda5fea5ac420a90aa828dbfef32db428e34987ced1a132749f439b8b5f9e902ab97b65114794048e19
-
Filesize 717KB
MD5 cd8de83a0d2cf6515b6154d1a967542d
SHA1 8b56723bdb0db0ff1d0ea04601228b1dcaf086f4
SHA256 9f3166b19cfe5d4f5e4f2089a53694aa36580d3bcac3e44fe6fb910f95128b24
SHA512 880df46bb50273eb33ffd28668d63596b9bfe71e363be2df8bdcbf8deec243fb4412a3fb42c878833597f53fd50404aea8aea7c2482e688a95f8820df2e636b0
-
Filesize 581KB
MD5 2fa39c4b75c177996fff7b95e5ee7e42
SHA1 8b601f6291128627028c51acae4e21bf876e976a
SHA256 30d0c1b2bb611cd714ffdc0a4aa3eb33600b0495bf64740f2847793768ebb992
SHA512 e42d268cd0334cff0907fdbdeb15bb2811ab533ae8585e7a08948cd439e5a9f26e8e4177c390f032bdf25b48fe545edc4aeb1a04d5d73f441155bbc5df8491e8
-
Filesize 581KB
MD5 d32d133371618e4f1c88bdfb4f7a4275
SHA1 f6f1bd4b3f19cffd3695e267d6c895d4b50e6dc9
SHA256 69756487b64166568455c751af67f449112b8bf7f52dbef2715e12ee5f9dc934
SHA512 c64d9940f59f648e1498ede095f0c83de814c7cb0dec7091bb69b22929439a35040dcd0e3274e95a47227f6763553788ce309d3d61bdd273d3e1933620694667
-
Filesize 717KB
MD5 68e3f3f2fc62b7050d1cc06287e282fe
SHA1 69d433d8c4349d2bcffa15b3b01ce8be07fe535b
SHA256 44e7fd3a7e5826fc4a517feeaf852d8e4620893335080a47d8e8e129adab9dfe
SHA512 d642b14960299fa0a45d3adf3e1fd735ac54312e3aad3630d9fa4d80ad1b0cacc2ec11abcac3a36f0975cfd5693947ee217d2008c9ad16b2a601aa15a4f4a875
-
Filesize 841KB
MD5 899fff6951b4bc8b5ac7261133f8d3c4
SHA1 98b6f7c22a833179f43fb32938ebc23df325b5bb
SHA256 0c5f5d1051d69f9b93186566bd7369f62771db573bd5150622848400fa1a504c
SHA512 33e136c839feba3301aea953e2fe0418dea4679fd5e91a87ff559de3f51a21ac518af8b686ecf5e3c923706b16d0eedd032c16895dd4b93e700efa919c1bf9b2
-
Filesize 1.5MB
MD5 3a5f6ad64b96fbeb8d208ebb5e268056
SHA1 66f9b4641c14ca4e4e0d42cb2f99f89e9aeea736
SHA256 b5e65125b93d73beb5238bbcdbc98c0229c5ce220e706fecab821c768e7e346e
SHA512 149fb60b061b49700536a86e6d4de0b29f4a6b6542953f1c1613f8b3b016812d1380d1397d360d2e3c1c759b204ad5204062732fb181b3d78a11f4de741530ea
-
Filesize 701KB
MD5 ce46894d2a63f28f2347f99338585da7
SHA1 78cc7394608b1916c77abc2c1154fa113272b509
SHA256 7902f911b4348ee6588db7bf3f9d97f401760c983db4394c95e5861f9c2655af
SHA512 8858618f31c48cf449e168dd489f5c5fe5f264c0ce866f54a1dc8ce5005e2aad8574d922ee4fb6953f41fb9c702ab32157f24c1a3f1fde289939a2bd93411b5d
-
Filesize 588KB
MD5 dae5b5a6f156c5b4fd42386747e737ee
SHA1 d9c79591095953285ec8e6dc6a4b63943f8a9181
SHA256 7dff9f0113a1d65e9d599699db22e63d57f78adae28e1d5100712fbef0a5cab8
SHA512 5360efea1bcd04a937345f18a1755668dcaf52ef201c05d6310935a6f88e1f454531f4eaf956f66ceec491ce8e48815ab83bebf746013a6183153af7b2606f31
-
Filesize 1.7MB
MD5 3b11f436bb02421bbfbd37bd2a56941b
SHA1 c5f7a2137a755ed2ebf01b2340ab8639d686bd28
SHA256 ef7d144001d35570b23bed7a9bc4bad1af31a4b4b793c817dafb594c09b5a6da
SHA512 48560ee83726fa0ac9f911621701db44bb94e3daf6272f8a28607b99a1c23184cfac075ee72c187f1dbaa94c3ad2183fa698a62dac8b7744a541e61b37e0574a
-
Filesize 659KB
MD5 e570f10c6fe0b05c4e8effd4dadd6a30
SHA1 18ef03d023597bbbb41ea2450fe9cfe6faa33eb1
SHA256 e248b92c68be46a93df5031c31cb84efbf3071233796bb068748d26f2ac6c3fa
SHA512 0a43eba507a639b3782a9f8d30fa98727219ef163156b17b4265db11374c0a2366e80abb849c31bfd9863da13f034dfe8a02cbd97db7fa78c3329b97dab5768e
-
Filesize 1.2MB
MD5 4756822c80d4f9736fe839b76eaa3724
SHA1 e2caf3a7bfeb242cc7e4c49b7e71b5edd110c9b9
SHA256 b6e2034bad7531fe24c19a98a1b246bf62a9852714aff4ee5ad593686da5ba03
SHA512 259da6b37218a8ab3185976fd441e82766a4ba7f87e3b14b695c81396b57d39ed3339cf1a6136233a71ec91950a2a43243be50a98f46eed07b0f97650938c291
-
Filesize 578KB
MD5 80dd2d779204b81860f7858f662a4a5d
SHA1 591aeba9960ab086ded01d6fab300c21f668683a
SHA256 ee3838389ea4f1623f59b64321a902c3be4d78de6ed5ec98edc7461d7048910f
SHA512 5919275e8cf26b4aec0a12e996dc4d25a76907c81d103a3772a53be7b5323ace45a6b84d844893d53b6b9fdf6da31858c2ddf06213a728075a7e2f85e9b3587d
-
Filesize 940KB
MD5 24c0862a8b4f93c4d7d60ba984e021d7
SHA1 1747f3d3b7536d157ac3b256e66efe48f03621dd
SHA256 66babca151b37c63ab8c6c1f9cc5d59afd3c3b913f294234ebd9767e3fb52383
SHA512 258449617ed497837637fe258ba22a72ff3a4c7df2a09b4434d94ebe83b317c42ea491d9467b5188b9806523d3bd9a8c70fbf28850579d88473a0565540e51e5
-
Filesize 671KB
MD5 96b1a4e8e852d5e021fff720ba7137f1
SHA1 8be99a2ae0293672a948432eee1fa5792705800e
SHA256 7dae800d596013d57b519a8e5e275d1098199b21cbc781c2ad9faf2f403cb34a
SHA512 74eadfcf5f14b4eaec69744169fabe6081567baab2f5cefd9679fa5dd094e8eac360a6c3934e86f7276ffa53cdb3165991f8525a8c9678638b13a776e2b91e99
-
Filesize 1.4MB
MD5 47d420422783092f5384f3a036051279
SHA1 152559dd0cead029a033f239a5327bff311a4afe
SHA256 04ac22fd6bc1f91fe234e0054ebd4cf253ec70ec67c9af615d1dab2bc2fcdb51
SHA512 18f7715aac209ae694a2f8eb00e8284d6aed7103933bfa5b59d1b8ea98beea88495b407c78f48527f249a8e78e8fbfd8245f3ac2531a49ec864ef1975276d82d
-
Filesize 1.8MB
MD5 fba862c1e93cb19d625ea9ee262b8d90
SHA1 915aa0a08bfdfdb1042f8721d5e44994cdb05062
SHA256 9c4f3b38d4963cd6c13dd95f07a6d403fadcd634540c1a761403302cb0e3c351
SHA512 3ef164a1299f69df16965e952c1cf8c68521b3b23f04bd34a8a6cf7e74dc5940952fb2b6ec3b52f9560eb233b42b085ae5aafbe3ba178dbb124ee9082add2d98
-
Filesize 1.4MB
MD5 78410319a76fd33fc8724e71c672c8bc
SHA1 f6bae902700165fb81e9e1a7176ad8c645c2ff0a
SHA256 7789f5d684a299a2cbde01c1a0dc5cc34567bac5058ffde7011787b670685069
SHA512 9adf9aa1f84362a4baf3c83320ce7807f785ba3c56a75e444d6488c09364ebf866476f8481a7eef38097b25f18b2b688886da5df5e4cb666b49cd956cbb9f3f0
-
Filesize 885KB
MD5 c45ccdd29b1170f191d3464a9c7b87f2
SHA1 b69c3e34660f12e8afd070fb237f7926bead71b3
SHA256 64d006d56bb2948ab8996ec5bb98c6a93b2aefa90c6865020faa51ef4f5b0138
SHA512 8b9e0cdc61243ed3abff0a7ac640e437820b9cd5017e9188ac4f8f36c6f960391082dd2ec481f29c65de6e50395bfbd530c8807166ea59cd216fceda4cf33a0b
-
Filesize 2.0MB
MD5 a343ac10cca7f5c5311e8bd6b582d5c8
SHA1 81178aa0929d81f28e4cbe52207dff7cb0163221
SHA256 e099c0d979fe80067c7758f208477554e3116c019be493bbc82c208b5b1a8684
SHA512 e8c9b89d41ca9d1a55984d90297b1391884c75dbd6eb1b36c901d79e5b5c95613b23ecf8ac031e622b04f61d362c680cfaec683d93fb831218ce0cc77909a75c
-
Filesize 661KB
MD5 c04e70e3605c490cfe01e2ae8a7b73a3
SHA1 dd7c41792c3483ec4d67e6fcb512a0ebbbaed25a
SHA256 80180dde83eb7aa29067e64b1d2b72a776ec6c338ee48a7487bd911b7a9bf91c
SHA512 b7551e064912a45cf75edb2201469f4255f74695dec34f198a4cc236f4b28b27cf8fdaf6c6e8d5c77da90adbd36cc376335490b86faede376b8757eead902c29
-
Filesize 712KB
MD5 934721e7caf55698075cce79b247fe99
SHA1 7e618b10f63720ed2a9f60aeb698f9fadb501085
SHA256 9246ad58773dc32f8622224d1f5083a315f935a94de82fc432a10787028bba33
SHA512 2d89df3e1ed7449027ac63a0db90142632a2266adca18a4b235bec8b311a4a28ff5e3780ebd28e8bcc7189ff137cc0dad4395b94ca1a64d2fee41869781b6d3a
-
Filesize 584KB
MD5 a4421e265bcdf2258ea9c0dabc2b05f8
SHA1 2da15cec8875f581d77bdbb4099c3359ebeead53
SHA256 05ae50b2b105435c4affc2b384d19e4a344450e878e1eea52ae55778e0196884
SHA512 87ff4d63698d664b7d5d1f83374b45fadf8193be919b296b9d71ca515976585958541bdf9aeaf763028785e2f591f52c92f8908fd61c49a4fe951d50a7288cc0
-
Filesize 1.3MB
MD5 11764cac41d29eea4cb3274e0f2ede33
SHA1 a5e7df4fd6fc385cb0d31b2d098ec1c115f22204
SHA256 3094e92ccccc5d99644a63fb5c0fa252498651786d7a95390df6873a935fdb5d
SHA512 864cf75b31a7143561003d50a565d6f862281583522c0378ce326c136b2ceae85c85c366c7a7545d2d249cb453f817d10dcaebf111b8861ffa9ae9800c17d020
-
Filesize 772KB
MD5 308433c709f4b6bd78f25f61fe8a3996
SHA1 d3f9cede090ad1ce262cf3d0d7b6dd41c9c9039f
SHA256 c32e0b43d087aac72ce52cb4ae11993fa3285b68dbcbb64eeeb52b8de6fd1da0
SHA512 9d04139159be170fee54387f89f1c112c7f37f639fb60585cea69854919ce96bd215664c38e7f3155c9190ae2cc8e41faeca0482a2bf9f34966564f63ef1971b
-
Filesize 2.1MB
MD5 8bb0262ec24206500d6afe9ed2f6eb86
SHA1 11dbf1bc0a0f475506883bb044558e1bc439fdf1
SHA256 26d5111ba0c7678acdf42d7de2858b3871c09004764afc664e99652e3c9205d4
SHA512 13788eb07a6e14a3db2af7a6686177ab9c5dff45a961e175e8a05c8ac1edfee35acf7c60caf84173b679706bf815186a2100f6df89a2a1d893b017abf994837a
-
Filesize 1.3MB
MD5 e0e60706e6a221744a2016527340bc5d
SHA1 8fd8a94ac86e5aa50215a570e4d0da58afd5e580
SHA256 f912e52c6af83cd15d9ee2a5ce94a8a9a7ad62d2a99f2f4dff1104f9ed62b050
SHA512 ecaca7c21ce1c6642c2da9d9bbdb861fbbf673c87195c0851361ccc27029813fc08d31e9c2a83b74fe8be550f76c82c9e9c88504cafad503622feb15b2ccec21
-
Filesize 877KB
MD5 8a3500edd01129d7e9efac7b614aea04
SHA1 6b1af93a4080eb5747a8280fb9f209a11a50d52b
SHA256 68778e83dc3aaa036cbc0c69a425b5d23809b19f65a929edb60cb81c666c8404
SHA512 01959c69fc8d3e424a6937bcfbef6c335d5c0c5107adb5614997ac2c3c33e5cefcc60ee211c1623beae3e36f89dad8cb153024254ec7fce1f740c01ee8ace668
-
Filesize 635KB
MD5 9786498535d7569f95d6e4fb284c3798
SHA1 2e5778c636bb03043da67a98f235f27887431277
SHA256 893ed05491221c1d7c44454c1ec183df174d50fe59e5f8091a87ea67214c55e3
SHA512 a5da9d2a593593ff1ad8b0f36602554b9c391f0abc8e42d09ecefe64bcc3025cb2ae1c9f5c7dc54a4f9f55ce1af97c696c4756f0e0ba94e43e14281a46e1318b